This blog is dedicated to computer forensic research and topics that I come across that I feel are both beneficial to the forensic community and interesting/useful information to read. This is my own personal opinion and work and does not reflect any entity except for myself unless expressed otherwise.

Thursday, February 7, 2013

Creating a Citrix VDI for Digital Forensic Analysis

If the past few weeks have taught me anything so far, it would be that the process of creating a Citrix environment is rather difficult. What seemed like it would be rather cut and dry installing and setting up a few basic parameters has easily turned into what may be the hardest part of the project.

My initial issue was attempting to find a location that I could actually set a miniature virtual environment up in. My first thoughts were almost to the level of Inception – a virtual machine hypervisor hosting a virtual machine domain controller delegating IPs to multiple virtual machines that are each being hosted by…surprise!, a virtual machine (Citrix’s vdiManager). For any of you that follow memes, I’m pretty sure Xzibit would have something to say about my attempt here (if you don’t get the reference, see here). Needless to say, it was an idea I dropped pretty quickly and went on to finding some hardware that I could use instead.

Fortunately, the Senator Patrick Leahy Center for Digital Investigation (LCDI) has multiple servers, and one of them wasn't currently in use. This gave me the server that I needed for my hypervisor, and from here I was able to start moving forward. The first go around with real hardware involved setting up an ESXi 5 hypervisor on the Dell Server that would be used to host a virtual machine of XenServer. After doing some quick setup with this, which was rather painless, I ran into a few roadblocks. Attempting to create a Windows virtual machine using XenServer hosted on top of ESXi 5 prompted multiple errors and wouldn’t allow for appropriate virtualization to ensue. Turns out I managed to overlook the fact that XenServer is a hypervisor and not similar to Windows Server that would rest on top of a hypervisor.

It tends to work out more often than not that the third time is the charm, and so far my third attempt is looking that way. This go around, I installed XenServer as the hypervisor on the server and then hosted vdiManager to it. I am using Citrix’s VDI-in-a-Box (ViaB) to quickly set up a small environment that doesn’t require multiple protocols and variables to be put into place that their other programs, such as Virtual Desktop, would.

There have definitely been a few stopping points that have been frustrating, but it’s more little things on the internal network that I needed to tweak. For example, it was necessary to create a new domain controller due to limitations and restrictions set in place on the current domain controller. After I recognized a few of the simple networking problems, moving forward started to become easier and easier.

Setup Overview for VDI-in-a-Box

The next frustrating stop with my process came very quickly, though, and again I started face-palming every few minutes wondering why I couldn't get it working. In order to host a VM to vdiManager to create a base image, RDP needs to be configured, as does File and Printer sharing. Although this is one of the most basic things to do on a computer, my virtual machine just wouldn’t have it. Yet again though, some quick network troubleshooting and I noticed that the DNS was incorrect, changed it, and the settings were up and running. Finally, at long last, the conversion to upload the image was beginning.

Stepping back from the setup process of the environment, it is important to take a look at the semantics of this project and the blogs that I will be writing. My initial blog post stated that I would be looking at the difference between persistent and non-persistent VDIs. Though this is still the case and nothing has changed, ViaB uses different terminology to describe these two states of an image. A persistent image is known as a “personal desktop”, and a non-persistent image is referenced as a “pooled desktop.” Please take note that, although I will try to keep my own wording consistent, there may be images and references throughout to pooled versus personal desktops.

Template setup for Pooled vs Personal (Non-persistent vs Persistent)

Check back in the near future for more updates on the progress of this project. The environment should be finished setting up soon, and not too long after the real fun should start!

3 comments:

I think VDI-in-a-Box bypasses the need for them to be registered, which is rather convenient in terms of getting it set up quickly. I didn't need to install any of the additional components on the XenServer itself, such as a desktop director interface.

The most important thing with ViaB is to remember to assign users to templates and to ensure the client machines have Citrix Receiver installed - this threw me for a loop for quite a while. I didn't realize that a simple RDP connection was not enough!